mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-03 16:59:22 +02:00
authorize: rework token substitution in headers (#4456)
Currently Pomerium replaces dynamic set_request_headers tokens sequentially. As a result, if a replacement value itself contained a supported "$pomerium" token, Pomerium may treat that as another replacement, resulting in incorrect output. This is unlikely to be a problem given the current set of dynamic tokens, but if we continue to add additional tokens, this will likely become more of a concern. To forestall any issues, let's perform all replacements in one pass, using the os.Expand() method. This does require a slight change to the syntax, as tokens containing a '.' will need to be wrapped in curly braces, e.g. ${pomerium.id_token}. A literal dollar sign can be included by using $$ in the input.
parent
5568606f03
commit
e8b489eb87
4 changed files with 83 additions and 11 deletions
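The difference the commit message describes, as an added Go example (not Pomerium's code): sequential replacement rescans text produced by an earlier replacement, while a single `os.Expand` pass does not. The token `pomerium.example`, the sample values, and the helper names `sequential`, `singlePass` and `hasLegacyToken` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

type token struct{ name, value string }

// Constructed sample data, not Pomerium's token set. "pomerium.example" is a
// hypothetical token whose value happens to contain the text of another token.
var sample = []token{
	{"pomerium.example", "v=$pomerium.id_token"},
	{"pomerium.id_token", "ID"},
}

// sequential replaces one token at a time (old "$name" syntax), so text
// produced by an earlier replacement is scanned again by later ones.
func sequential(tmpl string, toks []token) string {
	for _, t := range toks {
		tmpl = strings.ReplaceAll(tmpl, "$"+t.name, t.value)
	}
	return tmpl
}

// singlePass expands all tokens in one os.Expand call. Replacement values are
// copied to the output and never rescanned. os.Expand reports "$$" as the
// name "$", which is mapped back to a literal dollar sign; unknown names
// expand to the empty string (a choice made for this example).
func singlePass(tmpl string, toks []token) string {
	values := map[string]string{"$": "$"}
	for _, t := range toks {
		values[t.name] = t.value
	}
	return os.Expand(tmpl, func(name string) string { return values[name] })
}

// hasLegacyToken reports an unbraced "$pomerium." reference, which os.Expand
// would read as the variable "pomerium" followed by literal text.
func hasLegacyToken(tmpl string) bool {
	return strings.Contains(strings.ReplaceAll(tmpl, "$$", ""), "$pomerium.")
}

func main() {
	fmt.Println(sequential("Bearer $pomerium.example", sample))
	fmt.Println(singlePass("Bearer ${pomerium.example}", sample))
	fmt.Println(singlePass("Bearer $pomerium.id_token", sample))
	fmt.Println(hasLegacyToken("Bearer $pomerium.id_token"))
}
```

The third call shows why the braces are required: without them `os.Expand` stops the variable name at the `.` and the rest of the token is emitted as literal text.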
|
@ -544,7 +544,7 @@ func (p *Policy) Validate() error {
|
|||
|
||||
if p.SetAuthorizationHeader != "" {
|
||||
log.Warn(context.Background()).Msg("config: set_authorization_header is deprecated, " +
|
||||
"use $pomerium.id_token or $pomerium.access_token in set_request_headers instead")
|
||||
"use ${pomerium.id_token} or ${pomerium.access_token} in set_request_headers instead")
|
||||
}
|
||||
|
||||
return nil
|
||||
|
|
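Review bot: In the changed warning string inside the `if p.SetAuthorizationHeader != ""` block, the message now recommends `${pomerium.id_token}`, but nothing in the visible part of Validate() alerts an operator whose set_request_headers values still use the old `$pomerium.id_token` form that the syntax has changed. Consider also checking the set_request_headers values here for an unbraced `$pomerium.` and logging a warning (or returning an error), so that an existing policy does not silently start sending a different header value after upgrade. If one of the other changed files already covers this, a short comment here pointing to it would help.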